Joint investigation/inquiry launched to investigate Prospect breach by Jersey, the UK (ICO), Guernsey, and the Isle of Man

By JOIC

18 December 2025

A joint investigation has been launched by the Data Protection authorities of Jersey, the UK (ICO), Guernsey, and Isle of Man into the cyber incident that compromised data of the trade union Prospect Custodian Trustees Ltd (Prospect) in June 2025.

Prospect has more than 160,000 members who work as scientists, engineers, tech experts and in other specialist roles. The organisation holds members’ personal information including financial data and sensitive data such as trade union membership, ethnic origin, sexual orientation, disability, and religious belief.

The joint investigation/inquiry reflects the regulators’ commitment to collaborate on protecting people’s data rights across jurisdictions. By pooling resources and expertise, we will deliver a focused, efficient and expedient inquiry.

The investigation/inquiry will examine:

  • the scope of personal information exposed by the breach and potential harms to affected people;
  • whether Prospect had adequate technical and organisational measures in place to protect the sensitive information it holds;
  • whether Prospect upheld their breach notification obligations;
  • whether Prospect took appropriate steps, in their initial response to the breach, to mitigate any identified risks posed to affected data subjects

Paul Vane, Jersey Information Commissioner said: “Cyber and Phishing attacks are on the rise and are progressively targeting organisations and businesses which span multi-jurisdictionally. We must work collaboratively with other Authorities in order to strengthen our enforcement mechanisms and protect the information and rights of data subjects in affected jurisdictions.”

John Edwards, UK Information Commissioner said: “When people share their most sensitive information with an organisation, they do so with the expectation that it will be handled responsibly and securely. We will be scrutinising the cyber incident at Prospect to check whether those expectations were met. This joint investigation demonstrates our determination to work more closely with our international counterparts to ensure that data protection standards are upheld across all jurisdictions.”

Brent Homan, Data Commissioner for ODPA Guernsey said: “Cyber attacks are increasingly impacting organisations holding data across borders and jurisdictions. International threats demand an international response. By joining forces with our partners in the UK and British Isles we will ensure an elevated level of protection for our collective citizens' data rights.”

Dr Alexandra Delaney-Bhattacharya, Isle of Man Information Commissioner, said: “People place enormous trust in organisations when they hand over their personal information, and that trust must be honoured. By undertaking this coordinated investigation into the incident at Prospect, we are strengthening our collective ability to safeguard individuals’ data.”

Data protection legislation allows the authorities of the UK, Guernsey, Jersey and Isle of Man to work together on matters of impact across the jurisdictions. Each regulator will investigate compliance with the law that it oversees. No further comment will be made while the investigation is ongoing.

Prospect reported a personal data breach to the Jersey Office of the Information Commissioner in relation to the cyber incident that took place in June 2025. The opening of this investigation should not be taken to mean that we have reached a conclusion that Prospect has, or continues to, infringe data protection law.